Post-quantum cryptography

Introduction

Here's the one-minute introduction:
"Imagine that it's fifteen years from now.
Somebody announces
that he's built a large quantum computer.
RSA is dead.
DSA is dead.
Elliptic curves, hyperelliptic curves, class groups, whatever,
dead, dead, dead.
So users are going to run around screaming
and say 'Oh my God, what do we do?'
Well, we still have secret-key cryptography,
and we still have some public-key systems.
There's hash trees.
There's NTRU.
There's McEliece.
There's multivariate-quadratic systems.
But we need more experience with these.
We need algorithms.
We need paddings, like OAEP.
We need protocols.
We need software,
working software for these systems.
We need speedups.
We need to know what kind of key sizes to use.
So come to PQCrypto and figure these things out
before somebody builds a quantum computer."

For much more information,
read the rest of the book!
There are five detailed chapters surveying the state of the art in
quantum computing,
hash-based cryptography,
code-based cryptography,
lattice-based cryptography,
and
multivariate-quadratic-equations cryptography.
The book has a 2009 publication date
but was already available in November 2008 from booksellers such as Amazon.

For earlier analyses of the impact of quantum computers on cryptography,
see the following papers: